STIX Block #2: Quick Wins
www.oasis-open.org
January 14, 2016
Session objective
- See if we can quickly nail down some quick wins
- VERY briefly describe apparent consensus on 10 issues/proposals
- Confirm/Refute that consensus holds among F2F attendees
- VERY briefly identify any areas of non-consensus as open questions
- Post-F2F, post proposals to list (with 1 week window) to achieve formal consensus or discuss open questions
- Ideally identify JSON Schema snippets from TWIGS and add them to proposals
Make IDs required (RM#5) (Prop#2)
Quick summary of consensus
Both “strawmen” agree that the ID property should be required on all constructs that support it.
Any objections to this consensus?
Remove Short_Description (prop#4)
Quick summary of consensus
Both “strawmen” agree with removing this field as unnecessary.
Any objections to this consensus?
External_IDs (prop#3)
Quick summary of consensus
Both “strawmen” agree that all IDable constructs should support an “External_IDs” property that:
- Lets you specify an ID (as a string) from some external source/system
- Provides an optional simple string “Definer” subproperty to specify who/what the ID is from
- Provides an optional simple URI “Reference” subproperty to specify a URI to the actual ID’d content within the external system/environment
Any objections to this consensus?
Flatten Package lists (prop#14)
Quick summary of consensus
Both “strawmen” agree that the current 2-layer approach for component lists within Package should be flattened to a single layer containing 0..* of each component.
Any objections to this consensus?
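As an added example (not OASIS, TWIGS or any strawman code), the following Python applies three of the quick wins above, prop#3 (External_IDs shape), prop#14 (single-layer Package lists) and RM#5 (IDs required), to a constructed STIX-like JSON package. The JSON property names "id", "external_ids", "definer" and "reference", and the component list names, are assumptions; the slides fix no JSON spellings.

```python
from urllib.parse import urlparse

# Constructed sample in the current 2-layer Package layout: each component
# list is wrapped in an extra container object (e.g. indicators -> indicator).
OLD_PACKAGE = {
    "id": "package--1",
    "indicators": {"indicator": [
        {"id": "indicator--1",
         "external_ids": [{"id": "EXT-42", "definer": "vendor-x",
                           "reference": "https://example.test/ioc/42"}]},
        {"title": "missing id"},  # violates RM#5: no id on an IDable construct
    ]},
    "ttps": {"ttp": [
        # violates prop#3: External_IDs entry without the mandatory string ID
        {"id": "ttp--1", "external_ids": [{"definer": "no-id-given"}]},
    ]},
}

# Assumed names for the component lists a Package may carry.
COMPONENT_LISTS = ("indicators", "ttps", "exploit_targets", "reports")

def flatten_package(pkg):
    """prop#14: collapse {list: {singular: [...]}} into {list: [...]}."""
    flat = dict(pkg)
    for name in COMPONENT_LISTS:
        wrapper = pkg.get(name)
        if isinstance(wrapper, dict):
            (inner,) = wrapper.values()  # the single inner key holds 0..* entries
            flat[name] = list(inner)
    return flat

def check_external_ids(obj):
    """prop#3: every entry needs a string ID; Definer and Reference are optional,
    but a Reference must be an absolute URI when present."""
    errors = []
    for ext in obj.get("external_ids", []):
        if not isinstance(ext.get("id"), str):
            errors.append("external_ids entry without string id")
        ref = ext.get("reference")
        if ref is not None and not urlparse(ref).scheme:
            errors.append(f"reference is not a URI: {ref!r}")
    return errors

def validate_flat_package(flat):
    """RM#5 and prop#3 checked over every component of a flattened package."""
    errors = []
    for name in COMPONENT_LISTS:
        for idx, obj in enumerate(flat.get(name, [])):
            where = f"{name}[{idx}]"
            if not isinstance(obj.get("id"), str):
                errors.append(f"{where}: id is required")
            errors.extend(f"{where}: {e}" for e in check_external_ids(obj))
    return errors
```

Running validate_flat_package(flatten_package(OLD_PACKAGE)) reports exactly the two deliberate violations in the sample.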
Remove abstract base types (prop#15)
Quick summary of consensus
Both “strawmen” agree that the current abstract base types for the “top-level” objects are superfluous and should be removed, and the objects simply be defined on their own.
Any objections to this consensus?
TTP refactor for clarity (RM#10) (prop#12)
Quick summary of consensus
Both “strawmen” agree that the current TTP structure, where Attack_Pattern, Malware, Exploit, Infrastructure, Tools, Persona and VictimTargeting are listed as properties, should be changed such that these are each subclasses of a general TTP structure.
Any objections to this consensus?
ET refactor for clarity (prop#17)
Quick summary of consensus
Both “strawmen” agree that the current ExploitTarget structure, where Vulnerability, Weakness and Configuration are listed as properties, should be changed such that these are each subclasses of a general ExploitTarget structure.
Any objections to this consensus?
Report refactor (prop#16)
Quick summary of consensus
Both “strawmen” agree that, because of the changes that remove embedding of content and make relationships separate objects, the Report object should be refactored to not contain definitions of or references to content. Instead, acting as a kind of report cover sheet, all content relevant to the report would be asserted as separate relationship objects with a “Report Contains” nature.
Any objections to this consensus?
Abstract Victim to separate construct (prop#18)
Quick summary of consensus
Both “strawmen” agree that a new Victim construct should be created as an Identity class, that this new class should be used for Victim characterization within Incidents, and that a VictimTargeting class should be created that is a subclass of both TTP and Victim with additional properties for Targeted_Systems, Targeted_Information and Targeted_Technical_Details.
Any objections to this consensus?
DataMarkings application (RM#2)
Quick summary of consensus
Both “strawmen” agree to the proposed and discussed approach utilizing Marking_Definitions, Marking_Refs (L1) and Structured_Markings (L2).
Any objections to this consensus?
Summary out
Consensus items
Non-consensus items